Earlier today, I ran across a compromised website with injected script from both the pseudo-Darkleech campaign and the EITest campaign. This is similar to another compromised site I reported back in June 2016, shortly after Angler exploit kit (EK) disappeared from the EK scene [1]. At that time, the pseudo-Darkleech and EITest campaigns had switched to Neutrino EK.

Earlier week, we saw reports on pseudo-Darkleech and EITest switching between Neutrino EK and Rig EK [2, 3]. These two campaigns have a history of switching EKs [4, 5, 6, 7]. Because of that, I generated infection traffic from both campaigns campaigns using the same compromised site. This diary examines infection from both campaigns.

Shown above: Flow chart for one compromised website used by two campaigns.

In the images below, you'll find injected script from both campaigns in the same web page.

Shown above: Injected script from the pseudo-Darkleech campaign at the beginning of the page.

Shown above: Injected script from the EITest campaign near the end of the same page.

As previously noted, I've never seen both infections at the same time. I've only generated EK traffic from one campaign or the other. Injected script from the pseudo-Darkleech campaign tends to prevent injected script by other campaigns from running.

Pseudo-Darkleech Neutrino EK infection

By July 2016, injected script from the pseudo-Darkleech campaign had changed patterns, and that pattern of injected script remains in use as of mid-August 2016. In today's infection traffic from the pseudo-Darkleech campaign, we saw Neutrino EK send CrypMIC ransomware.

Shown above: Traffic from the pseudo-Darkleech infection filtered in Wireshark.

For those unfamiliar with CrypMIC ransomware, it's a new branch of the CryptXXX family first reported on 2016-07-06 [8]. At first, I continued calling it CryptXXX, despite some noticeable differences in post-infection activity. Others soon noticed this new branch was using a different versioning format than the original branch of CryptXXX [9]. By 2016-07-20, TrendLabs analyzed the new branch, dubbing it "CrypMIC" [10], and I've been calling it CrypMIC ever since.

The infected host looks like we've seen in recent CrypMIC infections. Of note, I haven't seen any infections using the previous branch of CryptXXX since 2016-07-25 [11].

Shown above: Desktop of the infected Windows host after rebooting.

EITest Rig EK infection

Injected script and traffic patterns from the EITest campaign have remained relatively consistent since Malwarebytes first identified this campaign in 2014 [12]. Back then the EITest campaign usually led to Angler EK. We've seen it switch back and forth between Angler EK and Neutrino EK in 2015 and 2016. After Angler EK disappeared, the EITest campaign appears to have stuck with Neutrino EK until recently. Earlier this week, the EITest campaign led to Rig EK [2]. Today's EITest infection chain also led to Rig EK, and it delivered a possible Vawtrak variant.

Shown above: Traffic from the EITest infection filtered in Wireshark.

Reading the pcap with Snort 2.9.8.3 using the Snort subscriber ruleset, I saw alerts for the EITest gate and Rig EK. I also saw an alert for an .ru domain.

Shown above: Alerts from reading the pcap with snort (image 1 of 2).

Shown above: Alerts from reading the pcap with snort (image 2 of 2).

Using the ET Pro rulset, I saw alerts for Rig EK. Of note, Sundown EK has traffic patterns similar to Rig EK, so we see alerts for Sundown EK also in the list. But Sundown EK delivers its payload using different URL patterns than Rig EK, and the overall traffic is a solid fit for Rig EK.

We also see alerts for a possible Vawtrak variant that fit recent updates Vawtrak has reportedly made over the last few weeks [13].

NOTE: Keep in mind that IP addresses and domains for both Neutrino and Rig EKs are constantly changing. The IOCs will probably have changed by the time you read this.

Final words

As always, properly administered Windows hosts following best security practices (up-to-date applications, latest operating system patches, software restriction policies, etc) should not be infected when running across these campaigns.

Unfortunately, a large percentage of people don't follow best practices, and their computers remain at risk. Until this situation changes, actors distributing malware through EK-based campaigns remain a significant threat.